Code red is a computer worm that was identified in July 2001, when computers running on Internet Information Services (IIS) web server of Microsoft were found compromised. The after effect of the attack caused a damage of billions of dollars in the summer of 2001.
Marc Maiffret and Ryan Permeh employees of eEye Digital Security discovered this worm when it exploited an existing vulnerability discovered by Riley Hassell.
The named the computer worm, “Code Red” is because they were drinking Code Red Mountain Dew when they confirmed it as a threat.
It displays a text string “Welcome to worm.com Hacked by Chinese!” and it runs on the memory erasing all files present in the hard drive. It infected close to 359,000 hosts on July 19, 2001.
Behaviour of Code Red
Code Red lands on the server in the form of GET /default.ida request on on TCP port 80. By this way the code is developed to exploit a buffer overflow vulnerability in Microsoft’s Internet Information Server (IIS) which is the indexing software. By doing so the code runs within the IIS server. The worm virus is completely run in the memory and cannot be found on the disk. It occupies 3,569 bytes.
The payload of the worm comprised of:
- Distorts the infected website to display:
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
It tries to spread its infection by finding more IIS servers on the Internet from Day 1 and Day 19
Then in infects the system associated with specific IP addresses through Denial of Service attacks from day 20 to Day 27
After which there are no active attacks from Day 28th of the month
When scanning for vulnerable machines, the worm did not test to see if the server running on a remote machine was running a vulnerable version of IIS, or even to see if it was running IIS at all. Apache access logs
Variants of CodeRed
This is a similar variant to the original that was found different in two major ways. The signature of CodeRed II infects the host with a trojan – Virtual Root to help hackers to establish a backdoor to access and control the host server. It replaces takes the place of multiple’s of N’s with X’s
It exploits the “Web Server Folder Traversal” Vulnerability to pass on the infection with new machines. This new variant targets IP addresses in random and sends FTP get request to the victim systems. The FTP get request stimulates the infected machine to download HTTPEXT.dll to an IIS folder that gives way to execute specific commands on the server. This then ensures that .dll file is executed with the URL request and ensures that the DLL to pass on the SVCHOST.exe file into C:\ folder. Codeblue is made different from Codered as it is written on the hard drive and not on the memory.
It is an anti-worm that finds its own way to enter the target machine
Over 2 million computers were infected by Code Red that organizations had to invest $2.75 billion to recover the lost productivity.
Update the Windows OS with the latest security patch. (Microsoft released a security patch update to protect vulnerable systems from Code Red attacks.)
Implement the use of an effective internet security suite that includes antivirus software to scan, detect and remove unknown threats, a firewall that terminates suspicious outbound data traffic from IIS web server to stop the spread of the malware and other types of attacks as well, and most of all containment technology – that quarantines the suspicious threats and executes in an isolated environment to deliver complete protection from such threats like Code red.